Highlygifted Posted March 21, 2009 Share Posted March 21, 2009 I recently did a system restore to fix a microphone problem but that led to a chronic BSOD 5 minutes into login and I'm working in safe mode now.http://www.megaupload.com/?d=S7BREYV3 Is my dump, if anyone would please read and help me with my predicament, it'd be appreciated. Link to comment Share on other sites More sharing options...
cluberti Posted March 21, 2009 Share Posted March 21, 2009 I cannot see anything but the crashing thread - there's an LPC message there that would have given some clues, but because you got a mini dump only, the only thing it captures is the thread state at the time of the crash. You'll need a complete dump (see the sticky at the top of this section) before we can really help you. It could very well be the A/V (it's on the stack right before the call to TerminateProcess), but there's no way to say for sure without at least seeing what's at the other end of that LPC chain. Link to comment Share on other sites More sharing options...
Highlygifted Posted March 21, 2009 Author Share Posted March 21, 2009 The full size is 2GB which led me to read it myself by barely installing it in regular before BSOD. The results stayed the same- Probably caused by : csrss.exe There is a question though. When it was creating the full dump, the BSOD hit a tick of 50 and then rebooted. Should it have normally hit 100? I also suffered from a lack of ability to connect to the internet afterwards so I had to remove Full Dump. Link to comment Share on other sites More sharing options...
cluberti Posted March 21, 2009 Share Posted March 21, 2009 It may skip from 50 to 100 percent, depending. And yes, it will be csrss.exe, but we would need the data in the full dump. Otherwise, there's not a good way to answer your question -csrss.exe was *told* to close because some other problem on the system (not with csrss) caused it to need to terminate.Without a full dump, the answer is only a guess (your antivirus). Link to comment Share on other sites More sharing options...
Highlygifted Posted March 21, 2009 Author Share Posted March 21, 2009 How should I analyze the full dump file? I have it, but the tool I was told to use says there's missing symbols which I've installed. Link to comment Share on other sites More sharing options...
cluberti Posted March 21, 2009 Share Posted March 21, 2009 How should I analyze the full dump file? I have it, but the tool I was told to use says there's missing symbols which I've installed.To fix the symbols after you've opened the .dmp file in windbg, run:.sympath SRV*C:\symbols*http://msdl.microsoft.com/download/symbols; .reloadThen, run !analyze -v to see the bugcheck analysis (which you already know), then run !thread. You'll see a note in the output "LPC Server thread working on message Id <message #>" - run:!lpc message <message #>This will tell you what the *client thread* number is (a 6 number ID). run:.thread <thread #>; .reload; !thread <thread #>This will give you the client thread of the server csrss.exe lpc thread that crashed.If you want to see what I did recently, see the end of this post. Link to comment Share on other sites More sharing options...
Highlygifted Posted March 21, 2009 Author Share Posted March 21, 2009 (edited) I copy paste.sympath SRV*C:\symbols*http://msdl.microsoft.com/download/symbols; .reloadhttp://img15.imageshack.us/my.php?image=step1o.pngIs the result. What should I do? Thank you for your help.Update: After a day of effort, I've done more work. Chkdsk from the Command Line shows no problem, neither does CCleaner, save a few-http://img3.imageshack.us/my.php?image=step2e.pngHonestly, I'm lost on what to do. I'm tired of this issue but I refuse to take the most drastic line of action. Is there anything I can do with the Windows XP disc? Tried to do a Repair Install- Session 3 Initialization Failed 0x0000006F Should I try again? Edited March 21, 2009 by Highlygifted Link to comment Share on other sites More sharing options...
cluberti Posted March 22, 2009 Share Posted March 22, 2009 If you can zip the dmp file, PM me for an FTP upload location. Link to comment Share on other sites More sharing options...
Highlygifted Posted March 22, 2009 Author Share Posted March 22, 2009 (edited) http://www.megaupload.com/?d=6HHMOHCV I uploaded the kernel version, will this work?ADDITIONAL_DEBUG_TEXT: Use '!findthebuild' command to search for the target build information.If the build information is available, run '!findthebuild -s; .reload' to set symbol path and load symbols.MODULE_NAME: csrssFAULTING_MODULE: 00000000 DEBUG_FLR_IMAGE_TIMESTAMP: 0PROCESS_OBJECT: 8a6ccb48IMAGE_NAME: csrss.exeDEFAULT_BUCKET_ID: DRIVER_FAULTBUGCHECK_STR: 0xF4STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong.b620dcd0 805d03ab 000000f4 00000003 8a6ccb48 nt!KeBugCheckEx+0x1bb620dcf4 805d12af 805d1204 8a6ccb48 8a6cccbc nt!PsSetLegoNotifyRoutine+0x105b620dd24 b5f77451 8a6ccd90 c0000005 b620dd64 nt!PsGetProcessExitTime+0xa87b620dd54 8054088c 00000000 c0000005 033febcc avipbb+0x5451b620dd64 7c90eb94 badb0d00 033feb94 00200061 nt!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb74b620dd68 badb0d00 033feb94 00200061 00540028 0x7c90eb94b620dd6c 033feb94 00200061 00540028 00000000 0xbadb0d00b620dd70 00200061 00540028 00000000 00000000 0x33feb94b620dd74 00540028 00000000 00000000 00000000 0x200061b620dd78 00000000 00000000 00000000 00000000 0x540028STACK_COMMAND: kbFOLLOWUP_NAME: MachineOwnerBUCKET_ID: WRONG_SYMBOLSFollowup: MachineOwner Is all the information I can get on my behalf using your instructions. Edited March 22, 2009 by cluberti added code tags to tidy the post up a bit Link to comment Share on other sites More sharing options...
cluberti Posted March 22, 2009 Share Posted March 22, 2009 You have the same problem as this guy - sqlcmd.exe is probably causing it. See the above post, then look at this - again, it's only kernel mode, but I'd guess a user-mode dump would also look the same as the one in the post linked above. Take a look:// csrss.exe crashing, as we're already aware:1: kd> !threadTHREAD 89ff66e8 Cid 037c.0404 Teb: 7ffd6000 Win32Thread: e2b619e8 RUNNING on processor 1Impersonation token: e2cb9988 (Level Impersonation)Owning Process 0 Image: <Unknown>Attached Process 8a6ccb48 Image: csrss.exeWait Start TickCount 9749 Ticks: 0Context Switch Count 907 LargeStackUserTime 00:00:00.093KernelTime 00:00:00.046Win32 Start Address 0x000085c6LPC Server thread working on message Id 85c6Start Address 0x75b44616Stack Init b620e000 Current b620d744 Base b620e000 Limit b620b000 Call 0Priority 13 BasePriority 13 PriorityDecrement 0 DecrementCount 16ChildEBP RetAddr Args to Child b620dcd0 805d03ab 000000f4 00000003 8a6ccb48 nt!KeBugCheckEx+0x1b (FPO: [5,0,0])b620dcf4 805d12af 805d1204 8a6ccb48 8a6cccbc nt!PspCatchCriticalBreak+0x75 (FPO: [3,0,0])b620dd24 b5f77451 8a6ccd90 c0000005 b620dd64 nt!NtTerminateProcess+0x7d (FPO: [2,4,4])WARNING: Stack unwind information not available. Following frames may be wrong.b620dd54 8054088c 00000000 c0000005 033febcc avipbb+0x5451b620dd54 7c90eb94 00000000 c0000005 033febcc nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ b620dd64)033febcc 00000000 00000000 00000000 00000000 0x7c90eb94// Since there's no user-mode portion to a kernel-only dump, we can't see the whole stack,// but we can see that we're trying to run code at 7c90eb94:1: kd> .trap b620dd64ErrCode = 00000000eax=00000000 ebx=00000001 ecx=033feb40 edx=7c90eb94 esi=00000000 edi=033febf4eip=7c90eb94 esp=033feb8c ebp=033febcc iopl=3 nv up ei pl nz na pe cycs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00003207001b:7c90eb94 ?? ???// Checking the lpc message from the csrss.exe thread, we can see that the client to the// csrss.exe server thread above is 8920ea28:1: kd> !lpc message 85c6Searching message 85c6 in threads ... Server thread 89ff66e8 is working on message 85c6 Client thread 8920ea28 waiting a reply from 85c6 Searching thread 8920ea28 in port rundown queues ...Server communication port 0xe2313830 Handles: 1 References: 1 The LpcDataInfoChainHead queue is empty Connected port: 0xe1a8bf68 Server connection port: 0xe1522ec0Client communication port 0xe1a8bf68 Handles: 1 References: 3 The LpcDataInfoChainHead queue is emptyServer connection port e1522ec0 Name: ApiPort Handles: 1 References: 140 Server process : 8a6ccb48 (csrss.exe) Queue semaphore : 8a6d47e8 Semaphore state 0 (0x0) The message queue is empty The LpcDataInfoChainHead queue is emptyDone. // Looking at thread 8920ea28, we can see it's sqlcmd.exe, just like the post I linked above:1: kd> !thread 8920ea28THREAD 8920ea28 Cid 0bd8.0bdc Teb: 7ffdf000 Win32Thread: e10e1008 WAIT: (WrLpcReply) UserMode Non-Alertable 8920ec1c Semaphore Limit 0x1Waiting for reply to LPC MessageId 000085c6:Current LPC port e1a8bf68Not impersonatingDeviceMap e1009228Owning Process 0 Image: <Unknown>Attached Process 89264730 Image: sqlcmd.exeWait Start TickCount 9747 Ticks: 2 (0:00:00:00.031)Context Switch Count 61 LargeStackUserTime 00:00:00.000KernelTime 00:00:00.000Win32 Start Address 0x01019521Start Address 0x7c810867Stack Init b9d30000 Current b9d2fc50 Base b9d30000 Limit b9d2c000 Call 0Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0ChildEBP RetAddr Args to Child b9d2fc68 80502d46 8920ea98 8920ea28 804faf40 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])b9d2fc74 804faf40 8920ec1c 8920ebf0 8920ea28 nt!KiSwapThread+0x8a (FPO: [0,0,0])b9d2fc9c 805a1e87 00000001 00000011 0006d401 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])b9d2fd50 8054088c 000007ec 0006d4a0 0006d4a0 nt!NtRequestWaitReplyPort+0x63d (FPO: [Non-Fpo])b9d2fd50 7c90eb94 000007ec 0006d4a0 0006d4a0 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ b9d2fd64)WARNING: Frame IP not in any known module. Following frames may be wrong.0006d46c 00000000 00000000 00000000 00000000 0x7c90eb94// Again the trap frame showing us trying to run code from 7c90eb94:1: kd> .trap b9d2fd64ErrCode = 00000000eax=339a6000 ebx=00000000 ecx=0000ffff edx=00000002 esi=0006d4a0 edi=001a0688eip=7c90eb94 esp=0006d44c ebp=0006d46c iopl=0 nv up ei pl zr na pe nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246001b:7c90eb94 ?? ???// I can see you attempting to run a SQL update, again, just like the previous post I linked:PROCESS 89231938 SessionId: 0 Cid: 0a74 Peb: 7ffd8000 ParentCid: 0924 DirBase: 0af901c0 ObjectTable: e12052e8 HandleCount: 42. Image: SQLServer2005ExpressSP3-KB955706-x86-ENU.exeWhat worked for the other person was to stop all SQL services (entirely), make sure sqlcmd.exe wasn't running, and *then* install all SQL updates. After a reboot, everything was fine - considering you have the *exact* same crash, and I can see a SQL update running, I'm guessing this is also the same problem. Link to comment Share on other sites More sharing options...
Highlygifted Posted March 22, 2009 Author Share Posted March 22, 2009 So is it vital or anything? Should/how would I just remove it or replace it if it is important. Link to comment Share on other sites More sharing options...
cluberti Posted March 22, 2009 Share Posted March 22, 2009 So is it vital or anything? Should/how would I just remove it or replace it if it is important.Updating to SQL 2005 SP3 is important, yes - I would set all SQL services to disabled in services (services.msc), reboot, let Windows Update install the update, then set all SQL services back to their previous settings and reboot.That should fix it. Link to comment Share on other sites More sharing options...
Highlygifted Posted March 22, 2009 Author Share Posted March 22, 2009 (edited) Thanks, I'll get to it- but how would I stop all SQL services? I tried reading some instructions but it didn't get me anywhere. Edit: IT WORKS! Thank you so much for your help. This was the first really serious situation where I relied on professional help to actually pull through. Before I never had to actually rely so whole heartedly on aid. This whole ordeal has showed me how much more I have to learn. Thanks Again. Edited March 22, 2009 by Highlygifted Link to comment Share on other sites More sharing options...
cluberti Posted March 22, 2009 Share Posted March 22, 2009 No worries, glad to hear it works. Link to comment Share on other sites More sharing options...
cluberti Posted March 23, 2009 Share Posted March 23, 2009 For what it's worth, it looks like this was documented:http://blogs.msdn.com/psssql/archive/2009/...ermination.aspx Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now